Art Alexion on 15 Sep 2004 15:24:02 -0000


[PLUG] Open source risk issue

Here is an article from the latest Linux Pipeline newsletter which discusses the problem of presumed open source code that later turns out to have been proprietary.  The author proposes two solutions that put the onus on the recipient of the code -- I think that is wrong.  Law rarely changes solely because of the public interest.  It is only when money interests happen to coincide with the public's that good things happen.

That is the origin of the two legal principles of the "Buyer in the Ordinary Course of Business" (BuyOCOB) and the "Holder in Due Course" (HDC).  The former protects the buyers of seemingly legitimate products that ultimately turn out to be stolen, and the latter protects those who unwittingly pass on bad checks.

To be a BuyOCOB, you have to have purchased the thing from a "Dealer in Goods of that Kind" (DIGOTK).  Buying a Rolex from a smelly guy in the subway won't get you BuyOCOB status, but buying from an [unknown to you] unscrupulous storefront at 8th & Sansom will.  Without the BuyOCOB rule, commerce freezes -- not just for wary buyers, but for legitimate dealers and middlemen also.  One should not have to worry every time they buy something that the seller has the right to sell it.

The HDC rule is from older times when checks and other commercial paper were often bought and sold numerous times before being cashed.  At this point, the rule is used most often by check cashing agencies and holders of bearer bonds.  (Note on the monied interest point: an HDC has rights against the original check writer -- not the bank it was drawn on.)

The better solution to the purloined code issue is to adopt a BuyOCOB-type rule rather than putting the burden on the innocent code recipient.  This promotes open source development and assures users of open source software that they are not at risk for doing so.  The only reason it doesn't now apply to open source software is that the software is normally free, so the user is not a buyer.  Nonetheless, it satisfies the monied interests because it is only when large businesses feel safe using open source software that they will use it on a large scale.

[sorry for the HTML, but I thought the original article read better in its original format.]

1. EDITOR'S NOTE: Manageable Problem

We can expect chowderheads both inside and outside the Linux community to make a big deal out of today's top story.

A service provider named Furthermore claims an open-source project got a hold of some of its proprietary code and released the code as open source. Since then, several companies have included Furthermore code in their own projects, the company claims.

Open source opponents ( *koff* Microsoft *koff*) are sure to jump on this story triumphantly, as proof of the superiority of proprietary software development.

Some open source advocates will respond by screwing their fingers in their ears and sing, loudly, "La la la la la la there's no problem here la la la." Some of these advocates will take their fingers out of their ears long enough to write nasty e-mail to Linux Pipeline. Some of them are already writing hate mail to Furthermore.

In fact (1) there is a problem here but (2) it's manageable.

The problem is this: If you're a proprietary software developer, what do you do if you believe your code was wrongly released as open source? Right now, the only solution is to try to track down everyone who used the code and get them to pay you for it. If that doesn't work, sue everybody who'll stand still long enough to be served with papers.

Likewise, if you're a user, how do you make sure that code advertised as open source is, in fact, legitimate? You don't want to run the business on open source, only to have someone knock on the door months or years later and tell you the software isn't open source after all, and you need to pay up. That can be a real day-ruiner, as well as leading to a career change from information technology to the glamorous world of waste disposal (e.g., picking up waste paper in the park with a big, pointy stick).

These are legitimate problems. They are also on their way to being solved. A company called Open Source Risk Management reviews code in open-source projects to certify their legitimacy, and will insure open-source users and developers against claims of intellectual property theft.

Also, Pamela Jones, author of the popular Groklaw blog, is working on Grokline, a collaborative project to document the intellectual property ownership of Unix and Unix-like code.

According to the project home page, Grokline is "designed to carefully trace the ownership history of UNIX and UNIX-like code with the goal of reducing, or eliminating, the amount of software subject to superficially plausible but ultimately invalid copyright, patent and trade secret claims against Linux or other free and open source software. If there is any code out there that represents a conceivable risk of that kind, we'd like to identify it and mitigate the litigation risk now. If there isn't any valid claim that can be made, we'd like to be able to prove it."

Grokline and the OSRM efforts come as open source faces increasing pressures from private intellectual property concerns. OSRM identified 283 patents that could pose a threat to Linux, including two dozen owned by Microsoft.

And, while support from big companies like IBM and Novell has been a benefit for Linux, those companies have their own agendas, which may not always be in alignment with the open-source community.

And of course there's the SCO lawsuit. 'Nuff said about that.

Threats by proprietary vendors who believe their intellectual property rights were infringed are a problem for the open-source community--but the problem is manageable. We'll bring you more news about the open-source community's protections against intellectual property claims in coming weeks.

By the way, earlier I wrote about hate mail, and I have to say I'm disappointed with you all. It used to be whenever we ran something critical of Linux or open source, we could count on at least a half-dozen nasty, expletive-filled diatribes in e-mail. But now the nastygrams have slowed to a trickle, and the ones we do get are the more-in-sorrow-than-in-anger kind ("I used to have a lot of respect for your opinions, Mr. Wagner, but now I have to say I am gravely disappointed.... ")

Hop to it, people! You're letting me down! I want to see some real psycho screeds in my in-box by tomorrow--the kind of stuff that makes me want to hire bodyguards! Work yourselves up to a self-righteous rage and get to work!

Mitch Wagner
Editor, Linux Pipeline


Art Alexion
Arthur S. Alexion LLC
arthur [at] alexion [dot] com
aim: aalexion
sms: 2679725536 [at] messaging [dot] sprintpcs [dot] com

PGP fingerprint: 52A4 B10C AA73 096F A661  92D2 3B65 8EAC ACC5 BA7A
The attachment -- signature.asc -- is my electronic signature; no need for alarm.
Info @

Key for signed PDFs available at
The validation string is TTJY-ZILJ-BJJG.
